Thursday 3 March 2016

RIP IDA – users and their expressed, tacit and created needs for the truth

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Last heard of, Stephen Dunn wrote a blog post with Janet Hughes, please see RIP IDA – what they omitted from the obituary. That was about GOV.UK Verify (RIP) and so is his latest contribution, Meeting user needs:
The GDS Design Principles state that services should start with user needs. To pass the Digital by Default Service Assessment for a live service, the service manager must demonstrate that the team building [the] service understands user needs and has undertaken research to develop a deep knowledge of who the service users are and what that means for the design of the service.
Younger readers may have gained the impression inadvertently given by GDS that researching user needs is a new invention of GDS's. No. Eliciting user needs has been recognised as part of requirements engineering from the year dot. Please see for example Professor Ian Sommerville's Software Engineering, first published in 1982.

A lot of research into requirements engineering has already been conducted. Please see for example either the British Computer Society's syllabus for their exam in the subject or the US Software Engineering Institute's practice area framework for requirements engineering.

GDS are late to the party with their discovery, (according to Mr Dunn it's a GDS discovery), that users have a "tacit need" for their personal information to be held securely and for the GOV.UK Verify (RIP) registration process not to be "stressful or confusing":
Through the research we have conducted, we have been able to distil 4 tacit user needs for GOV.UK Verify [RIP] beyond the user’s expressed need, and we have been using these to prioritise our work to develop and improve the service.
Who knew?


GDS's repeated claim to give unique prominence to user needs is untenable. The rest of Whitehall and local government have a track record stretching back decades before GDS existed of taking user needs into account.

According to the UK parliament's Public Accounts Committee (PAC) GDS ignore user needs anyway when those needs obstruct GDS's superior creed of digital-by-default, please see The Common Agricultural Policy Delivery Programme (p.5):
GDS’s focus on developing a digital front-end to allow farmers to apply online, which was not a European Commission requirement, was inappropriate for farmers ...
Mr Dunn repeats the creed when he says that "there is assisted digital support in place within each service for those who need support to use a digital service".

That is questionable, please see GDS & assisted digital – the project that keeps on starting. It is not clear what support GDS are offering members of the public.

The PAC point out that GDS couldn't even provide the support necessary to the Rural Payments Agency (also p.5):
GDS introduced a level of innovation and risk to the Programme, without assessing whether the Department was capable of managing the changes, and did not provide sufficient support during implementation.
He repeats the creed when he says that "we are making sure that GOV.UK Verify [RIP] is interoperable with other national and international standards and systems".

We have yet to see if GOV.UK Verify (RIP) is interoperable with Scotland's separate national identity assurance scheme, myaccount, and whether it is up to the standards required by the European Union's Regulation 910/2014, eIDAS. We need to see this interoperability in ... operation for ourselves, we can't take it on trust.

"We’re building GOV.UK Verify [RIP] for the whole UK adult population. Our demographic coverage target is to be able to serve 90% of the UK adult population by April 2016". That's just a few weeks away and the claimed Account creation success rate by 28 February 2016 was still only 72% according to GOV.UK Verify (RIP)'s dashboard on the GOV.UK Performance platform.

Repeating the creed like that doesn't achieve the 90% coverage target.

Experian is one of GDS's GOV.UK Verify (RIP) "identity providers". They say that they have identified some databases full of our personal information which, if only they could have access to them in addition to all our credit history, would allow them to improve coverage.

What databases are these? Experian won't say. Neither will GDS, despite having promised to, 15 months ago on 1 December 2014. So much for that other contention in the creed to the effect that GDS are uniquely "open".

Turning to the matter of privacy, Mr Dunn says:
Tacit need 2: I need to be safe and secure

Some of the things we do in the service to help meet this need are:
  • ...
  • designing and building GOV.UK Verify to protect users’ privacy, in line with principles developed by independent privacy and consumer experts ...
The Privacy and Consumer Advisory Group have devised nine principles of identity assurance for GOV.UK Verify (RIP) and GDS do not obviously abide by a single one of them. They just keep dutifully saying that they do.

Mr Dunn repeats the creed when he says that GDS are "requiring GOV.UK Verify [RIP] certified companies [previously known as "identity providers"] to be certified as meeting published standards for identity assurance and information security, and making them liable to their users if they fail to meet the required standards".

How can he say this when he must know that the Post Office, for example, one of GDS's "identity providers", is not certified?

We're talking about tScheme certification here. That's what was promised by GDS back in April 2013. And again in January 2014.

Janet Hughes, the GOV.UK Verify (RIP) programme director, now says "Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system". That's not what was promised.

The Post Office allowed its application for a certificate of trustworthiness to lapse a year ago, on 24 February 2015. Users who think they are registering with the Post Office are actually registered behind the scenes with a different "identity provider", Digidentity.

It's not just the Post Office. Barclays aren't certified and neither are Safran Morpho. And PayPal, another "identity provider", haven't even applied for certification.

Mr Dunn's assertion that "identity providers" are all certified is simply false.

N This is wrong. Safran Morpho do not limit their liability to £100.But not only are all "identity providers" certified according to Mr Dunn, they are also "liable to their users if they fail to meet the required standards". Not very liable.

Take a look at Safran Morpho's terms and conditions, for example. Their GOV.UK Verify (RIP) offering to users is called "secureidentity" and:
  • According to clause 11.3 they're not liable for any "loss or damage suffered by You which was not a reasonably foreseeable or obvious consequence of Us breaching these Terms and Conditions".
  • Then there are four more clauses about things they're not liable for, before at clause 11.8 they say that "Our aggregate liability to You arising out of or in connection with the Identity Service shall not exceed £100".
  • And then clause 11.9 tells users that "Our liability to You shall not include the following business losses that You may incur: lost business data, lost profits, lost earnings, business interruption, and loss of opportunity or reduction in the value of an asset ...".
That elaboration of the creed is not spoken out loud by Mr Dunn.

The creed explicitly includes "putting in place protection and monitoring to protect the service from attack" and "meeting high standards for security". But it excludes any answer to the review of GOV.UK Verify (RIP) conducted by four academics who identified a number of security holes – holes which are not filled by simply repeating the creed.

You'd think that that would be all, wouldn't you.

Well you'd be wrong.

Mr Dunn says that "there are 10 services currently available to the public through GOV.UK Verify [RIP] ...". The GOV.UK performance dashboard for GOV.UK Verify (RIP) only lists nine under Government services, not ten.

One of the government services GOV.UK Verify (RIP) is meant to be connected to is Apply for Universal Credit. Use the Apply in Croydon, Hounslow, Southwark or Sutton button with an appropriate post code and you'll see this:

No sign of GOV.UK Verify (RIP).

Ditto if you use the If you live elsewhere/Start now button, no sign of GOV.UK Verify (RIP), what you'll see is:

There is a stray webpage called Sign in with GOV.UK Verify [RIP] - Universal Credit. Try signing in to Universal Credit from there using GOV.UK Verify (RIP), and you're met with:

There must now be a question whether GOV.UK Verify (RIP) is connected to the Apply for Universal Credit government service at all. The creed seems to be blatantly false.

Famously, GDS's assertion that GOV.UK Verify (RIP) is connected to the Claim rural payments government service is definitely false. There is no such digital service. As the PAC say (p.5):
In March 2015, as a result of the failure of the online application system, the Department had reverted to a ‘paper-assisted digital’ system, requiring a significant amount of manual input and creating a large number of errors.
With GOV.UK Verify (RIP), when GDS promise connections to ten public services, what you get is nine public services, or eight or seven or ...

... and that's just too ambiguous. The creed must be clear. There are too many doubts. Doubts about the number of public services and the security of GOV.UK Verify (RIP) and the question whether its users will be compensated for any losses and the promise that all "identity providers" are certified trustworthy and the control its users have over their personal information and the extent to which GDS are being open with us and the problem of people being excluded and interoperability with other national identity assurance systems and the primacy of user needs and ...

That's not a creed. That's a confused mess. A confused mess that's going live in a few weeks time, in April 2016 if Mr Dunn is to be believed.

No comments:

Post a Comment